Securizarea avansata a sistemelor de calcul
Marios Choudary UPB
Side-channel attacks
Smartcards used in many applications (e.g. banking)
Other examples: Pay-TV, transport
2
Microcontroller in smartcards
microcontroller
3
Microcontrollers “leak” information via physical side-channel
example of leakage: EM, power
4
Microcontrollers “leak” information via physical side-channel
• We may target:
• cryptographic algorithms (secret keys)
• instructions (reverse engineering)
• data (bus eavesdropping)
5
CMOS leakage
A
B
A
B
VDDIDD
ZCL
Pull upNetwork
Pull downNetwork
Typical NAND gateA = 0 or B = 0:
CL charges => current flows out
CMOS leakage
A
B
A
B
VDDIDD
ZCL
Pull upNetwork
Pull downNetwork
Typical NAND gateA = B = 1:
CL discharges => current flows in
CMOS leakage
A
B
A
B
VDDIDD
ZCL
Pull upNetwork
Pull downNetwork
Typical NAND gateA = B = 1:
CL discharges => current flows in
CL may be input of next gate or bus lines (large capacitance)
Use an oscilloscope to measure power consumption of a microcontroller
Trigger signal
USB to PC
Clock signal
Atmel XMEGA
Power supply Active probe
Transition of all CMOS gates affect overall power consumption
1125 1126 1127 1128 1129 1130 1131 11325
5.5
6
6.5
Sample index
mA
k=0k=255
(loading a value into a register, when the previous value on the bus was 0)
Power consumption of loading one byte with different values
k = 0, 1, …, 9
3.2 3.4 3.6 3.8 4 4.2 4.4 4.6 4.8 50
0.5
1
1.5
2
2.5
Milliamps
0123456789
Leakage for one sample
11
Beginnings of power analysisPaul Kocher, 1997
(see “Differential Power Analysis”, Kocher et al., CRYPTO ’98)
Differential power analysis
13
1. Select target computation: typically the S-box lookup in a block cipher (DES, AES)
CHAPTER 2. OBTAINING SIDE-CHANNEL LEAKAGE TRACES 29
k �
p
S-box
u
v
Figure 2.3: A general S-box scenario, where k is a part of the secret key of a block cipher.
the task of finding the full master key into smaller tasks of attacking only small parts k
of the entire key.
2.1.3 Side-channel attacks
I now briefly describe the most common side-channel attacks evaluated in the academic
community.
Simple Power Analysis (SPA)
Kocher et al. [58] showed that, by simply observing a single power trace of a microcon-
troller, it is possible to reveal the sequence of instructions being executed. This may be
used to extract the secret key of a cryptographic algorithm by targetting the key schedule
if this involves conditional branching, by targetting comparison operations, or by target-
ting the exponentiators needed in public-key cryptographic algorithms such as RSA [88].
Simple and e�cient countermeasures for SPA rely on preventing the use of secret data
for conditional branching operations. Furthermore, Kocher et al. mentioned that SPA
will probably fail on most hardware implementations of block ciphers due to their small
power consumption variation. As a result SPA is not considered a major security threat
if simple precautions are taken, but the following attacks are.
Di↵erential Power Analysis (DPA)
Kocher et al. [58] also showed a much more powerful attack against DES (which also
works very well against AES), known as Di↵erential Power Analysis (DPA). It exploits
a known2 relation (such as the input-output relationship of the S-box in Figure 2.3),
2This assumes knowledge of the target algorithm.
Differential power analysis
14
CHAPTER 2. OBTAINING SIDE-CHANNEL LEAKAGE TRACES 29
k �
p
S-box
u
v
Figure 2.3: A general S-box scenario, where k is a part of the secret key of a block cipher.
the task of finding the full master key into smaller tasks of attacking only small parts k
of the entire key.
2.1.3 Side-channel attacks
I now briefly describe the most common side-channel attacks evaluated in the academic
community.
Simple Power Analysis (SPA)
Kocher et al. [58] showed that, by simply observing a single power trace of a microcon-
troller, it is possible to reveal the sequence of instructions being executed. This may be
used to extract the secret key of a cryptographic algorithm by targetting the key schedule
if this involves conditional branching, by targetting comparison operations, or by target-
ting the exponentiators needed in public-key cryptographic algorithms such as RSA [88].
Simple and e�cient countermeasures for SPA rely on preventing the use of secret data
for conditional branching operations. Furthermore, Kocher et al. mentioned that SPA
will probably fail on most hardware implementations of block ciphers due to their small
power consumption variation. As a result SPA is not considered a major security threat
if simple precautions are taken, but the following attacks are.
Di↵erential Power Analysis (DPA)
Kocher et al. [58] also showed a much more powerful attack against DES (which also
works very well against AES), known as Di↵erential Power Analysis (DPA). It exploits
a known2 relation (such as the input-output relationship of the S-box in Figure 2.3),
2This assumes knowledge of the target algorithm.
2. Apply “divide et impera”:
a good block cipher cannot be brute-forced due to large key size:
=> we target one byte at a time: reduce brute-force from 2128 to 16*28 (in best case)
(AES ≥128 bits)
Differential power analysis
15
3. Take a large number (thousands, millions) of leakage traces 0 2 4 6 8 10
0
2
4
6
8
Time [µs]
Current
[mA]
Typically interested in a single sample
0 2 4 6 8 100
2
4
6
8
Time [µs]
Current
[mA]
0 2 4 6 8 100
2
4
6
8
Time [µs]
Current
[mA]
ti
x1
x2
xN
…
Differential power analysis
16
4. Split samples based on the value of some bit b that is a function of k and p
CHAPTER 2. OBTAINING SIDE-CHANNEL LEAKAGE TRACES 29
k �
p
S-box
u
v
Figure 2.3: A general S-box scenario, where k is a part of the secret key of a block cipher.
the task of finding the full master key into smaller tasks of attacking only small parts k
of the entire key.
2.1.3 Side-channel attacks
I now briefly describe the most common side-channel attacks evaluated in the academic
community.
Simple Power Analysis (SPA)
Kocher et al. [58] showed that, by simply observing a single power trace of a microcon-
troller, it is possible to reveal the sequence of instructions being executed. This may be
used to extract the secret key of a cryptographic algorithm by targetting the key schedule
if this involves conditional branching, by targetting comparison operations, or by target-
ting the exponentiators needed in public-key cryptographic algorithms such as RSA [88].
Simple and e�cient countermeasures for SPA rely on preventing the use of secret data
for conditional branching operations. Furthermore, Kocher et al. mentioned that SPA
will probably fail on most hardware implementations of block ciphers due to their small
power consumption variation. As a result SPA is not considered a major security threat
if simple precautions are taken, but the following attacks are.
Di↵erential Power Analysis (DPA)
Kocher et al. [58] also showed a much more powerful attack against DES (which also
works very well against AES), known as Di↵erential Power Analysis (DPA). It exploits
a known2 relation (such as the input-output relationship of the S-box in Figure 2.3),
2This assumes knowledge of the target algorithm.
b = f (k, p)e.g. b = MSB(S-box(p k)) for AES
Dan$Boneh$
AES$is$a$Subs\Perm$network$(not$Feistel)$
inpu
t$
⨁$
S1$S2$S3$
S8$
�
output$
subs.$layer$
perm.$layer$ inversion$
k1$
⨁$
S1$S2$S3$
S8$
�
k2$S1$S2$S3$
S8$
�
⨁$
�$
kn$
5. Find k for which difference between average power consumption in the two groups is largest:
Differential power analysis
17
�k = (powerb=0 � powerb=1)
1
CHAPTER 2. OBTAINING SIDE-CHANNEL LEAKAGE TRACES 29
k �
p
S-box
u
v
Figure 2.3: A general S-box scenario, where k is a part of the secret key of a block cipher.
the task of finding the full master key into smaller tasks of attacking only small parts k
of the entire key.
2.1.3 Side-channel attacks
I now briefly describe the most common side-channel attacks evaluated in the academic
community.
Simple Power Analysis (SPA)
Kocher et al. [58] showed that, by simply observing a single power trace of a microcon-
troller, it is possible to reveal the sequence of instructions being executed. This may be
used to extract the secret key of a cryptographic algorithm by targetting the key schedule
if this involves conditional branching, by targetting comparison operations, or by target-
ting the exponentiators needed in public-key cryptographic algorithms such as RSA [88].
Simple and e�cient countermeasures for SPA rely on preventing the use of secret data
for conditional branching operations. Furthermore, Kocher et al. mentioned that SPA
will probably fail on most hardware implementations of block ciphers due to their small
power consumption variation. As a result SPA is not considered a major security threat
if simple precautions are taken, but the following attacks are.
Di↵erential Power Analysis (DPA)
Kocher et al. [58] also showed a much more powerful attack against DES (which also
works very well against AES), known as Di↵erential Power Analysis (DPA). It exploits
a known2 relation (such as the input-output relationship of the S-box in Figure 2.3),
2This assumes knowledge of the target algorithm.
Differential power analysis
18
current [mA]0
k=0
b==0b==1
avg( ) - avg( ) 0 ≈
5. Find k for which difference between average power consumption in the two groups is largest:
�k = (powerb=0 � powerb=1)
1
b = f (k, p)
Differential power analysis
19
current [mA]0
k=1
b==0b==1
avg( ) - avg( ) 0 ≈
5. Find k for which difference between average power consumption in the two groups is largest:
�k = (powerb=0 � powerb=1)
1
b = f (k, p)
Differential power analysis
20
current [mA]0
k=42 (correct)
b==0b==1
avg( ) - avg( ) max=�k = (powerb=0 � powerb=1)
1
5. Find k for which difference between average power consumption in the two groups is largest:
b = f (k, p)
Differential power analysis
21
393Differential Power Analysis
[Kocher et al. ’99]
Correlation Power Analysis
• Test correlation between actual leakage samples (e.g. obtained with an oscilloscope) and hypothetical leakage (e.g. with Hamming Weight model and key candidate)
• Most common candidate: HW(S-box(p k))
Correlation Power Analysis• Pearson’s correlation for 2 variables X, Y:
• When X, Y are correlated, then is high
• Idea for side-channel attacks:
• Use actual leakage for X
• Use expected leakage from HW model with candidate k for Y:Y = HW(S-box(p k))
• Compute for all possible byte values k and choose k with highest
⇢XY =
PNi=1(xi � x)(yi � y)
qPNi=1 (xi � x)2 ·
qPNi=1 (yi � y)2
1
⇢XY =
PNi=1(xi � x)(yi � y)
qPNi=1 (xi � x)2 ·
qPNi=1 (yi � y)2
1
⇢XY =
PNi=1(xi � x)(yi � y)
qPNi=1 (xi � x)2 ·
qPNi=1 (yi � y)2
1
⇢XY =
PNi=1(xi � x)(yi � y)
qPNi=1 (xi � x)2 ·
qPNi=1 (yi � y)2
1
Correlation Power AnalysisExample from attack on real cryptographic ASIC
Left: correlation with good key as function of number of traces (N) Right: correlation as a function of key candidate for fixed N
Figure from https://iis-people.ee.ethz.ch/~kgf/acacia/c3.html
Defences andSecure IC industry
Countermeasures
26
• Noise generation: try to keep the data-dependent signal below the noise floor
• Randomise computations: make it hard to align traces
• Masking: split data into several shares and compute on those such that leakage does not depend on key/data but on random values
• Dual rail and other special hardware architectures
Industrial impact• Development of countermeasures (hardware,
software) - see Infineon, Gemalto, NXP, etc.
• Common Criteria evaluation
• Evaluation and certification laboratories
• National security evaluations
• One evaluation may cost > 100.000 EUR